Oracle Issues Critical Patch

Officials at Oracle released the company's quarterly allotment of security fixes earlier this week, plugging 49 vulnerabilities in its software line.

The update also includes a number of non-security patches that are needed because of interdependency issues with the security patches. The "Critical Patch Update" affects the Oracle Database Server, Application Server, E-Business and Applications, and Enterprise Manager suites.

According to the Oracle security advisory, none of the 12 database-related vulnerabilities affect client-only machines; end-user machines that only touch the database are safe, it notes, if the last security patch was installed.

The U.S. Computer Emergency Response Team (CERT) said in an advisory note Wednesday that potential consequences include remote execution of arbitrary code, Denial-of-Service attacks and disclosure of sensitive information. The database compromises, the CERT note adds, could lead to the loss of credit card numbers, Social Security numbers, and health and patient information.

Oracle's method for disclosing security vulnerabilities is very different from the means by which other software vendors disclose security bugs in their systems.

Whereas some organizations, such as the open source Mozilla Foundation, will provide links giving full disclosure, and commercial entities like Microsoft will provide partial disclosure with severity ratings in their monthly updates, Oracle provides none.

Michael Sutton, director of iDefense Labs, said that while there's a fine line to walk between full disclosure and none, Oracle's method is very dangerous to the customers it serves.

"You have to provide your client with enough information so that they can do their own risk assessment, so that they can say, 'in my environment this is critical, I have to patch it now,'" he said.

The company makes it hard for customers to figure out just what vulnerabilities are affecting some of their products.

For example, customers who buy E-Business Suite or Collaboration Suite applications must sift through previous security patches to find out what patches to install, since patches to the two product suites are not cumulative. Database Server, Enterprise Manager and Application Server updates, however, are cumulative.

Oracle's disclosure policy also makes it difficult for security firms like iDefense to determine whether the vulnerabilities they discover in the course of their own investigations are addressed by the patch updates.

The whole process gives malware writers an advantage, Sutton said, because while customers have virtually no information to do a risk assessment, malicious hackers have all they need.

"Once you release a patch you're releasing very intimate details about a vulnerability," he said. "So somebody could take that patch, reverse-engineer it and understand where the vulnerability is, and then write an exploit."

Oracle has moved back and forth on its security update policy.

In August 2004, the company moved from issuing patches on a yearly or quarterly basis to a monthly one.

That lasted only three months: Oracle couldn't meet the deadlines for the monthly updates, and the patches it did release broke some of its customers' applications. The company moved to a quarterly update process in November.